If you make the Raspberry Pi reachable from the internet, it must be properly secured. The steps below harden SSH, the database, the firewall, the default pi user and the update process.
SSH
We have already secured SSH access with keys, so password login is no longer wanted. Edit the file /etc/ssh/sshd_config. It is a large file, so open it from WinSCP with Notepad++. Keep your current SSH session open until the new configuration has been tested.
Make sure that the following lines are in the file. sshd uses the first value it reads for a keyword, so also check that no earlier line sets it differently; if your sshd_config starts with an Include line for /etc/ssh/sshd_config.d/, a drop-in file there wins over the main file:
- Check: ChallengeResponseAuthentication no (on OpenSSH 8.7 and later the keyword is called KbdInteractiveAuthentication; the old name still works as an alias)
- #PasswordAuthentication yes change to: PasswordAuthentication no
- Change UsePAM yes to: UsePAM no. Note that this also switches off PAM's account and session modules; Debian's own sshd_config comments point out that leaving UsePAM yes is harmless once the two options above are set to no, so this step is optional.
Check the syntax and the effective values before restarting: sudo sshd -t and sudo sshd -T | grep -iE 'passwordauthentication|challengeresponse|kbdinteractive|usepam'. After saving, the SSH service must be restarted: sudo service ssh restart
Now try to log in with user + password from a second session, for example via a new site in WinSCP. That should be impossible, while login with your key still works. Only then close the original session.
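A small audit script for the settings above, added here as an example (it is not part of the original page). It reads an sshd_config the way sshd does: the first uncommented value of a keyword wins and anything after a Match line is conditional. It does not follow Include lines, so sshd -T remains the authoritative check; the file names in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: audit an sshd_config file for the
# settings above. sshd keeps the FIRST value it reads for a keyword and lines
# after a "Match" block are conditional, so the check mirrors that. Include
# lines are not followed; use "sudo sshd -T" for the final word.
# Usage: sh audit_sshd.sh /etc/ssh/sshd_config

# Print the effective global value of a keyword (case-insensitive), or nothing
# if the file never sets it (sshd then falls back to its built-in default).
sshd_effective() {
    kw=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v kw="$kw" '
        /^[[:space:]]*#/ { next }                # comment line
        /^[[:space:]]*$/ { next }                # blank line
        tolower($1) == "match" { exit }          # rest is conditional
        tolower($1) == kw { print $2; exit }     # first hit wins
    ' "$1"
}

# Check every keyword=value pair given after the file name; report each one and
# return non-zero if any differs. An unset keyword counts as a failure because
# the built-in defaults (PasswordAuthentication yes, ...) are the insecure ones.
audit_sshd() {
    cfg=$1; shift
    rc=0
    for pair in "$@"; do
        kw=${pair%%=*}; want=${pair#*=}
        got=$(sshd_effective "$cfg" "$kw")
        if [ "$got" = "$want" ]; then
            echo "OK   $kw = $got"
        else
            echo "FAIL $kw = ${got:-<unset>} (want $want)"
            rc=1
        fi
    done
    return $rc
}

if [ $# -gt 0 ]; then
    audit_sshd "$1" PasswordAuthentication=no ChallengeResponseAuthentication=no UsePAM=no
fi
```

Run it before and after the edit; a FAIL line for PasswordAuthentication after the restart means a later copy of the keyword, or a drop-in file, is still setting it to yes.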
Database
As a sudoer you can log in to the database as root without a password (MariaDB authenticates root through the unix_socket plugin). It is better to protect the root user of the database with a password as well.
- Log in to the database with the command: sudo mysql -u root
- Type in the mysql prompt: use mysql;
- Type:
  UPDATE user
  SET plugin = '', authentication_string = PASSWORD('<a strong password>')
  WHERE User = 'root';
- Type: FLUSH PRIVILEGES;
Close the mysql session with: quit
This UPDATE works on the MariaDB 10.1 and 10.3 shipped with Raspbian stretch and buster. On MariaDB 10.4 and later mysql.user is a view and the statement is: ALTER USER root@localhost IDENTIFIED VIA mysql_native_password USING PASSWORD('<a strong password>'); (write IDENTIFIED VIA unix_socket OR mysql_native_password USING PASSWORD('...') if sudo mysql should keep working next to the password).
You can now no longer log in to mysql without a password.
You now have to log in with: mysql -u root -p and type the password at the prompt.
Note: if you ever put the password on the command line itself there must be no space between -p and the password, but avoid doing that: it ends up in your shell history and is visible to other users in the process list.
The firewall below does not open port 3306, and MariaDB should stay bound to localhost (bind-address = 127.0.0.1 in /etc/mysql/mariadb.conf.d/50-server.cnf). Give the web application its own database user with rights on its own database only, not root.
Firewall
Install via the command: sudo apt-get install ufw
ufw denies incoming connections by default, so set up the required ports before enabling it. Allow ssh first, or you lock yourself out of a remote Pi; if sshd listens on another port, allow that port instead:
• sudo ufw allow ssh
• sudo ufw allow 80/tcp
• sudo ufw allow 443/tcp
If everything is configured, activate the firewall: sudo ufw enable
and check that everything is to your liking with: sudo ufw status verbose
The configuration opens ports in the firewall. We must prevent undesirable behaviour on these ports, above all password guessing against SSH. We install fail2ban for that; it reads the logs and temporarily blocks addresses with too many failed attempts:
sudo apt-get install fail2ban
Local settings belong in jail.local, which overrides jail.conf. To create it, copy:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
A smaller jail.local that contains only the settings you change (a [sshd] section with enabled = true and your own maxretry and bantime) is what the comments in jail.conf recommend and survives package upgrades better; on Debian the sshd jail is already enabled through /etc/fail2ban/jail.d/defaults-debian.conf. If /var/log/auth.log does not exist on your system (no rsyslog, only the systemd journal), set backend = systemd in the [DEFAULT] section.
Then restart: sudo service fail2ban restart
Check that the sshd jail is active and what it has banned with: sudo fail2ban-client status sshd. You can test the filter against your own log with: fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
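To make clear what fail2ban actually counts, here is a reduced version of the sshd jail's logic, added as an example (it is neither from the original page nor from fail2ban; the real regexes live in /etc/fail2ban/filter.d/sshd.conf). It runs over constructed auth.log lines, tallies failures per source address and reports the addresses that reach maxretry. fail2ban additionally only counts failures inside findtime; this version ignores timestamps.

```shell
#!/bin/sh
# Added example, not from the original page or from fail2ban: a minimal version
# of what the sshd jail does, run over constructed log lines, so you can see
# which lines count as a failure and how maxretry turns them into a ban.
# Timestamps (fail2ban's findtime window) are ignored here.

# Constructed sample of /var/log/auth.log; the addresses are RFC 5737 test ranges.
SAMPLE_LOG='Mar  1 10:00:01 pi sshd[1201]: Invalid user admin from 203.0.113.5 port 50001
Mar  1 10:00:01 pi sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 50001 ssh2
Mar  1 10:00:04 pi sshd[1203]: Failed password for root from 203.0.113.5 port 50002 ssh2
Mar  1 10:00:07 pi sshd[1205]: Failed password for root from 203.0.113.5 port 50003 ssh2
Mar  1 10:00:09 pi sshd[1207]: Failed password for pi from 203.0.113.5 port 50004 ssh2
Mar  1 10:00:12 pi sshd[1209]: Failed password for pi from 203.0.113.5 port 50005 ssh2
Mar  1 10:01:30 pi sshd[1301]: Failed password for pi from 198.51.100.7 port 40001 ssh2
Mar  1 10:01:35 pi sshd[1303]: Accepted publickey for pi from 198.51.100.7 port 40002 ssh2: ED25519 SHA256:constructed
Mar  1 10:02:00 pi sshd[1401]: Accepted publickey for pi from 192.0.2.10 port 30001 ssh2: ED25519 SHA256:constructed'

# Count sshd authentication failures per source address (stdin = log lines).
# Both "Failed password" and "Invalid user" lines count; successful logins do not.
# Output: "<count> <ip>" per address, highest count first.
failures_per_ip() {
    awk '
        / sshd\[[0-9]+\]: (Failed password for|Invalid user) / {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -rn
}

# Print the addresses with at least $1 failures: what the jail would ban.
ban_candidates() {
    failures_per_ip | awk -v maxretry="$1" '$1 >= maxretry { print $2 }'
}

# With maxretry 5 only the scanner at 203.0.113.5 (6 failures) is listed; the
# single typo from 198.51.100.7 followed by a key login is left alone.
printf '%s\n' "$SAMPLE_LOG" | ban_candidates 5
# prints 203.0.113.5
```

The same tally explains why a low maxretry on a jail that never expires bans would eventually lock out your own address after a few mistyped passphrases; fail2ban's findtime and bantime exist to bound that.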
Pi user
The pi user exists on every Raspberry Pi, so it is the first name every attacker tries; for that reason it should not remain usable. Creating a sudo user to replace the user pi is therefore a good idea.
Keep in mind that certain features of the Raspberry Pi Desktop are hard-coded to the pi user! After deactivating the pi user, these will no longer work!
sudo useradd --groups sudo -m <newuser>
sudo passwd <newuser>
Enter a password for the new user.
If you want to be able to run sudo without a password as <newuser>, you must place a file in /etc/sudoers.d. Take the file /etc/sudoers.d/010_pi-nopasswd as an example (one line: pi ALL=(ALL) NOPASSWD: ALL) and check your new file with sudo visudo -cf <file> before relying on it, because a syntax error there breaks sudo for everyone. Passwordless sudo is a convenience, not a security measure: anyone who gets a shell as that user is root.
Copy /home/pi/.ssh/authorized_keys to the corresponding location of <newuser> (/home/<newuser>/.ssh/authorized_keys) and adjust owner and group to the new user. Keep the modes at 700 for .ssh and 600 for authorized_keys; with the default StrictModes, sshd ignores the key file otherwise. Log in as <newuser> with your key in a second session and run sudo -v to confirm both work before going on.
Finally: sudo passwd --lock pi
You can no longer log in with the pi user. Also remove /home/pi/.ssh so the keys are gone as well.
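The whole replacement, written out as a script that refuses to lock pi until the keys are in place and the sudoers drop-in validates. It is an added example, not from the original page; the user name piadmin and the script file name are assumptions. The key copy is a separate function so it can be exercised unprivileged in a temporary directory before you run the real thing as root.

```shell
#!/bin/sh
# Added example, not from the original page: replace the pi user with a new
# sudo user, carrying the SSH keys over before pi is locked.
# The user name "piadmin" is an assumption; pick your own.
# Usage (as root): sudo sh replace_pi.sh piadmin

# Copy authorized_keys into the new home with the modes sshd requires (700 on
# .ssh, 600 on the file) and the right owner. With StrictModes (the default)
# sshd silently ignores a key file with loose permissions or the wrong owner,
# which would lock you out once pi is disabled. Usable unprivileged for a
# dry run when $3 is the calling user.
migrate_ssh_keys() {
    src_home=$1; dst_home=$2; owner=$3
    keys="$src_home/.ssh/authorized_keys"
    if [ ! -s "$keys" ]; then
        echo "no keys found in $keys, refusing to continue" >&2
        return 1
    fi
    grp=$(id -gn "$owner") || return 1
    mkdir -p "$dst_home/.ssh" || return 1
    chmod 700 "$dst_home/.ssh" || return 1
    cp "$keys" "$dst_home/.ssh/authorized_keys" || return 1
    chmod 600 "$dst_home/.ssh/authorized_keys" || return 1
    chown "$owner:$grp" "$dst_home/.ssh" "$dst_home/.ssh/authorized_keys"
}

# The sudoers drop-in, in the same form as /etc/sudoers.d/010_pi-nopasswd.
sudoers_nopasswd_line() {
    printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$1"
}

# Whole procedure. Stops before locking pi if any step fails, and asks you to
# test a login as the new user from a second session first.
replace_pi_user() {
    user=$1
    [ "$(id -u)" -eq 0 ] || { echo "run as root (sudo)" >&2; return 1; }
    useradd --groups sudo -m "$user" || return 1
    passwd "$user" || return 1
    migrate_ssh_keys /home/pi "/home/$user" "$user" || return 1
    dropin="/etc/sudoers.d/010_${user}-nopasswd"
    sudoers_nopasswd_line "$user" > "$dropin"
    chmod 440 "$dropin"
    # a malformed sudoers file breaks sudo for everyone, so validate or remove it
    visudo -cf "$dropin" || { rm -f "$dropin"; return 1; }
    printf 'Log in as %s with your key from a second session and run "sudo -v". Lock pi now? [y/N] ' "$user"
    read -r answer
    [ "$answer" = y ] || return 1
    passwd --lock pi
    rm -rf /home/pi/.ssh
}

if [ $# -gt 0 ]; then
    replace_pi_user "$1"
fi
```

The prompt before passwd --lock is the important part: once pi is locked, the only way back in is the new user, so the script makes you prove that login works first.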
Automate updates of the software
Install: sudo apt-get install unattended-upgrades
Add the lines below to the Unattended-Upgrade::Origins-Pattern section in the file /etc/apt/apt.conf.d/50unattended-upgrades. The default patterns only match origin Debian, so without these lines nothing from the Raspbian repositories is ever upgraded:
"origin=Raspbian,codename=${distro_codename},label=Raspbian";
"origin=Raspberry Pi Foundation,codename=${distro_codename},label=Raspberry Pi Foundation";
The origin and label must match what apt-cache policy reports for your repositories (the o= and l= fields). Check what would be upgraded without installing anything: sudo unattended-upgrade --dry-run --debug
Normally there is no reboot, even when one is needed (after a kernel update, for example). You can change the automatic reboot rule:
// Unattended-Upgrade::Automatic-Reboot "false";
to
Unattended-Upgrade::Automatic-Reboot "true";
and optionally set Unattended-Upgrade::Automatic-Reboot-Time "02:00"; so the restart does not happen while the Pi is in use.